HA remote access with KeenDNS

DJTerentjev · January 10, 2019, 12:17am

I have zyxel router (keenetic ultra II) with build in DNS servise - KeenDNS which give you remote access to the router with third-level domains name and any local device with fourth level domain name. Connection is https. So I can accesses to HA authorization page, but after login just “Unable to connect to Home Assistant”.
I can see: “Login attempt or request with invalid authentication from 192.168.1.1” on front page and nothing in the log.
I tried add to configuration:

http:
  base_url: https://my.domain.keenetic.pro:8123
  api_password: my_password
  trusted_networks: 
    - 192.168.1.1
  ip_ban_enabled: True
  login_attempts_threshold: 10

But nothing works.
Could someone advise what else I can try?

flamingm0e · January 10, 2019, 12:19am

Remove https:// from your base URL

DJTerentjev · January 10, 2019, 12:37am

Thank you for help, but didn’t work . I’m not sure why I need port number, because there is no port number in my link in browser. Port number is set in router. So I tried with and without port.
If there is any type of log I can catch apart of main one?

DJTerentjev · January 10, 2019, 12:45am

I catch this exception in Fire fox:
https://pastebin.com/PTps7qzg
Have on idea about it…

flamingm0e · January 10, 2019, 12:46am

What’s doing your SSL? I don’t see any SSL settings in your config. You either need SSL on home assistant or a reverse proxy running your SSL

DJTerentjev · January 10, 2019, 12:58am

From router manual:

By default, remote access to the device over the level 4 domain via the KeenDNS service works like this - you connect to the Internet center via the HTTPS protocol, and then you connect to the local device via the HTTP protocol via the HTTP protocol. Therefore, on the device for which we use the domain name of the 4th level, in its settings should not be excluded the possibility of using an HTTP connection, i.e. so that the option “Use only HTTPS” is not enabled. If you want to access via HTTPS, you can manually get your own certificate for the 4th level domain through the command line interface (CLI)

From router to HA required HTTPS or HTTP is enough?

DJTerentjev · January 10, 2019, 1:03am

I am not sure, but can be router providing SSL for lower level?

flamingm0e · January 10, 2019, 1:26am

Only if it’s acting as a reverse proxy

DJTerentjev · January 10, 2019, 1:31am

I tried:

http:
base_url: my.domain.keenetic.pro:8123
use_x_forwarded_for: true
trusted_proxies:
- 192.168.1.1
trusted_networks:
- 192.168.1.1

Loading match longer but same result.

flamingm0e · January 10, 2019, 2:35am

Do you understand what a reverse proxy is?

Changing the HA config isn’t going to fix your router…

DJTerentjev · January 10, 2019, 2:42am

Not at all I need to get SSL certificate and than I can use it with my domain name. Is it correct?

flamingm0e · January 10, 2019, 3:19am

If you want to use https, but if your router doesn’t support the necessary settings for reverse proxy in HA you’ll need to do something else.

DJTerentjev · January 11, 2019, 5:53pm

I just got reply from manufacture. Router can proxy some ports only:

HTTP: 80, 81, 280, 591, 777, 5080, 8080, 8090 и 65080
HTTPS: 443, 5083, 5443, 8083, 8443 и 65083.

What port is better to use?
Sorry for stupid question, but why HA using 8123 instead of 80 lets say?

flamingm0e · January 11, 2019, 6:59pm

You can use any of them.
Use 443 if you don’t want to have to put in a port number when connecting.

Lots of applications use their own ports. Port 80 on a Linux machine is reserved for root only (any port below 1024), and as such would complicate setups, and cause problems.

Forward port 443 to 8123

DJTerentjev · January 11, 2019, 8:16pm

KeenDNS settings:
domane name: my
Host (local net): 192.168.1.51
TCP port: 443

Port forwarding:
Input: Provider
Output: 192.168.1.51
Protocol: TCP/443
Destination port: 8123

In result at HA logging page: Error: Something went wrong
And nothing in the log. Is it correct settings?

flamingm0e · January 11, 2019, 8:47pm

I understand you want to use your router for this, but I don’t think it is going to work. There are things that HA needs to work with reverse proxies.

As an example, this config contains a few items that most normal reverse proxies do not.

If the settings of the built in reverse proxy are not capable of meeting these requirements, then it simply will not work.

DJTerentjev · January 11, 2019, 9:35pm

OK. It is more complicated than I thought! Any way than you for help!

Hypnotia · January 29, 2019, 11:57am

flamingm0e,

Thank you for the input but I cannot actually understand the root cause. My configuration is as follows:

HAAS.IO running in local network 192.168.1.X:8123
KeenDNS acting as reverse proxy associates 4th level DNS name with local network IP 192.168.1.X:8123
KeenDNS uses SSL

If i try to get access through 4th level domain name, remote HAAS.IO installation will respond and I will see the login page.

Having entered correct login, HAAS.IO reports “unable to connect”. Why? There is traffic, but login fails.

Regards

flamingm0e · January 29, 2019, 1:13pm

There are required settings for it to work, which, if you do not have access to change on your reverse proxy, will not work. I pointed to the documentation which shows the settings for NGINX. Without these settings, and with a standard reverse proxy configuration, NGINX will do the same thing as you describe.

The problem 100% solely lies in the REVERSE PROXY CONFIGURATION, which apparently you don’t have access to.

Hypnotia · January 29, 2019, 1:40pm

I am sorry for the stupid question. Is NGNIX included into HASS.IO or additional installation is required?